kelunik / acme Goto Github PK

Depends on php-src support, see https://bugs.php.net/bug.php?id=61204 and php/php-src#1686

In the class Kelunik/Acme/AcmeService the following piece of code occurs on multiple occasions in slightly different forms:

try {
    return Authorization::fromResponse($url, $response->getBody()->buffer());
} catch (\Throwable $_) {
    throw $this->generateException($response, $response->getBody()->buffer());
}

This can lead to the following Exception: "Can't buffer() a payload more than once" in /vendor/amphp/byte-stream/src/Payload.php(96)

This happens when there is a response which cannot be parsed successfully. The method $response->getBody()->buffer() is called twice in this situation, resulting in the error above.

A solution for this issue could be to first store the responseBuffer in a local variable, to avoid reading it twice:

$responseBuffer = $response->getBody()->buffer()
try {
    return Authorization::fromResponse($url, responseBuffer);
} catch (\Throwable $_) {
    throw $this->generateException($response, responseBuffer);
}

If you prefer I could make a pull request for this

See kelunik/acme-client#2

Certificates should be validated before being deployed.

I'm having an issues with amphp/dns: DefaultResolver.php, 632 - "Undefined offset: 8". I suspect this is a bug in amphp/dns which might have been resolved in a newer version of amphp/dns, seeing that the class DefaultResolver doesn't exist anymore.

Furthermore, I don't see much recent activity on the kelunik/acme repo. Is there any intention of working towards a new version which will use amphp/amp 2.x?

Following links to https://blog.kelunik.com/docs/acme/classes/AcmeService.html#register etc gives 404.

With ACME v2, it's now possible to issue wildcards.

https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

Depends on #31.

https://www.rfc-editor.org/rfc/rfc8737.html

Hi, I really need the "namshi/jose": "^7", constraint from master that isn't present in the latest release 0.3.3.

Is there a good reason why you haven't released the changes yet?

Thanks!

[Kelunik\Acme\AcmeException]                                                                      
  Invalid response: JWS has invalid anti-replay nonce oJ29ZCkwqoQ4yg6NOHQHRbbQn5UpC77hTql5AGy87FM.  
  Request URI: https://acme-staging.api.letsencrypt.org/acme/new-cert.

This exception happens when I use the same AcmeClient and AcmeService instantiation to complete a challenge and then request certificate in one script. When I just do one of them, there is no such problem. I'm not sure what's the real issue (it may be my mistake), so I'd appreciate any troubleshooting help.

Hi, is it possible to create a new release whenever it is safe to use?
We are using a fork of your repo atm, and fetched it recently to be up-to-date with yours.

Basically, our fork is equal to yours now. But you don't have a release yet with this new ACME v2 changes.

Let's Encrypt is now using ACME v2 protocol.
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

For the creation of an CSR the dn parameter of openssl_csr_new only needs the definition of 'CN' to work with domain validated certificate.

https://github.com/kelunik/acme/blame/dd01ee543932b8ca51cb2b9d3fe2efd097fbba66/lib/AcmeService.php#L363 could be reduced to just:

$csr = openssl_csr_new([
            "CN" => reset($domains),
        ], $privateKey, [
            "digest_alg" => "sha256",
            "req_extensions" => "v3_req",
            "config" => $tempFile,
        ]);

The certificate download url (at least for dns-01) returns HTTP 202 after it's done.

It is

"status": "valid",

but still is http 202.

Hence the current implementation loops forever.

I am using below command to renew certificate of one of my domain using lets encrypt service but after using the below command, I see that the certificate is renewed for only 5-6 days
php acme-client/bin/acme issue --domains example.com:www.example.com --path /home/peter/example:/home/peter/example --server letsencrypt

Is this expected or something is wrong in my command ?

It should be possible to pass CSRs instead of a list of domains when requesting a certificate.

The following line appends the SAN to the config file: OpenSSLCSRGenerator.php#L71
This behaviour is altered in: b078e8a

This results in openssl_csr_new() returning false. When using openssl_error_string() the following error is returned: error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign

To resolve this . "\n" . $san . "\n" should be removed.

There's a possibility to delete accounts. It should be supported by this library.

The Acme service can return certain error codes, as described here: https://letsencrypt.github.io/acme-spec/#rfc.section.5.4

Currently, HTTP errors will be thrown with the response body as plain text in the message.

It would be more useful to create a AcmeHttpException which can be constructed using the response object and provides an actual useful message?

Invalid response code: 400 {"type":"urn:acme:error:badNonce","detail":"Unable to read/verify body :: JWS has invalid anti-replay nonce","status":400}

Could be:

Invalid Acme HTTP Response: badNonce (code 400). Unable to read/verify body :: JWS has invalid anti-replay nonce.

Issue mentioned in: https://community.letsencrypt.org/t/breaking-changes-in-asynchronous-order-finalization-api/195882

Our client implementation was relying on the finalizeOrder response, which should return the Order object.
However, it looks like the finalizeOrder response does not longer contain the location uri for the order as of today.

Therefor, we needed to update our implementation to resolve the order once again after finalising the order.

AcmeService.php -> finalizeOrder

      if ($response->getStatus() === 200) {
            return Order::fromResponse($response->getHeader('location'), $response->getBody()->buffer());
        }

CAA records are now enforced and issue attempts which are blocked due to CAA give an unhelpful error message currently. A CAA validator should be added to catch such errors early and provide helpful error messages.

I'm having trouble using dns01 challenge.
As far as i can understand from the token received from the challenge I have to generated a string to put in the _acme-challenge.[domain] dns record.
I've tried to use generateHttp01Payload and use this as the string for the dns record and the payload, but I always get Challenge marked as invalid! from the staging server.

Can you please help?

There are none!